I am using Joomla 3.7.2, have changed all passwords and usernames, reloaded the sites from a backup before this started, added jHackguard to the sites, made sure nothing is writable and checked the sites with Sucuri Site Check and IsItHacked? And still somehow they are inserting php files in various folders (not always the same ones) - that are unwritable - that are sending out SPAM. Sometimes my ISP is able to catch the emails before they go out and deletes thousands of them at a time. This is happening on 3 of our 13 sites and there is no addon only used by those 3 sites. It also seemed to happen when our ISP moved to a cloud server.....I don't know what else to do.

Does JHackguard or Sucuri check file integrity or scan for recently changed files? If not, get RSFirewall. The hackers may have placed files deep within your system directories and are able to get in via those files. It's also possible that they placed files in the hosting root, (outside public_html or htdocs).

My ISP found and deleted some of the files and I have found a couple more - buried deep. I do believe that IsItHacked watches for Spam links, but somehow they are getting through anyway. I will look into RSFirewall....

bevco wrote:I have been finding strange files and deleting them - will get to the above asap. ...

Deleting strange files is not enough. Every file you find and delete the hackers will probably upload another 3.

Yes hackers plural ... once a hacker has found a weakness in your site they post the vulnerability on hack forums. Then other hackers use it to put their own hack files on. There will be hack files all over the server and in genuine files. Cherry picking files to delete will just have you running around in circles. Unless you hire a professional to clean your site then your only viable option is to delete ALL the files after running the fpa.

It might be easier for you to rebuild the site (with fresh files) on localhost before deleting all the files from the server. If you do that then put your sites off line until you are ready to delete the files from the server.

bevco wrote:...
Would going with MyJoomla or RSFirewall correct this without having to rebuild?

MyJoomla has a good reputation and should be able to clean your server. If you want a professional service I would highly recommend you use them. Not sure if RsJoomla provide a service to clean hacked sites.